1.3 million online fashion shoppers exposed after data breach at UK ecommerce provider

Brands affected include Jaded London, AX Paris, and Perfect Handbags.


Customers of a number of UK clothing and accessories websites have had their personal information exposed following a security breach at an IT services provider the sites shared.

Brands such as Jaded London, AX Paris, Elle Belle Attire, Perfect Handbags, DLSB (Dirty Little Style Bitch), and Traffic People entrusted web development and ecommerce company Fashion Nexus to help them build an online store.

Unfortunately, something went wrong (Fashion Nexus and its sister company White Room Solutions refuse to say what), and white hat hacker Taylor Ralston was able to access a server holding a shared database of the online clothing stores’ customers’ personal details.

In all, the exposed data covers approximately 1.3 million users and includes password hashes (MD5 and SHA-1, both salted), names, dates of birth, email addresses, phone numbers, and other data. Salting stops one cracked hash from unlocking every user who chose the same password, but MD5 and SHA-1 are fast general-purpose hashes, so anyone holding the dump can still run an offline dictionary attack against each salted hash at very high speed; customers who reused those passwords elsewhere should treat them as compromised. There is no indication that payment card information was put at risk.
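To show why "salted" is cold comfort when the underlying hash is MD5 or SHA-1, here is an added example (written for this article, not code from Fashion Nexus, White Room Solutions or the researcher) of the offline dictionary attack an attacker would run against such a dump. The record layout (email:algorithm:salt:digest), the salt placement (salt prepended to the password), the sample accounts and the tiny wordlist are all constructed assumptions; the real schema is not public. The last two functions contrast the guess rate of the fast hashes with an iterated password hash (PBKDF2-HMAC-SHA256) to show what the stores should have been using instead.

```python
"""Offline dictionary attack against salted MD5 / SHA-1 password hashes.

Added example, not from the original article. The dump format, the
salt||password layout and every record below are constructed for
illustration and are not the real Fashion Nexus schema or data.
"""
import hashlib
import time


def salted_digest(algo: str, salt: str, password: str) -> str:
    """Hex digest of salt||password with a fast hash (assumed layout)."""
    h = hashlib.new(algo)
    h.update(salt.encode())
    h.update(password.encode())
    return h.hexdigest()


def make_record(email: str, algo: str, salt: str, password: str) -> str:
    """Build one constructed dump record: email:algo:salt:digest."""
    return f"{email}:{algo}:{salt}:{salted_digest(algo, salt, password)}"


# Constructed sample dump (emails, salts and passwords are invented).
SAMPLE_DUMP = [
    make_record("alice@example.com", "md5", "k3Lq9", "summer2018"),
    make_record("bob@example.com", "sha1", "ZZt0p", "Password1"),
    make_record("carol@example.com", "sha1", "x7!Qn", "correct horse battery staple"),
]

# Tiny constructed wordlist standing in for a real one (millions of entries).
WORDLIST = ["123456", "password", "Password1", "summer2018", "fashion", "qwerty"]


def parse_record(line: str):
    """Split a dump line into (email, algo, salt, digest)."""
    email, algo, salt, digest = line.split(":", 3)
    return email, algo, salt, digest


def crack(dump, wordlist) -> dict:
    """Return {email: password} for every record some wordlist entry matches.

    Each record carries its own salt, so every candidate must be hashed
    once per record (the salt does defeat shared lookup tables), but with
    MD5/SHA-1 each guess costs about a microsecond, so that is no obstacle.
    """
    found = {}
    for line in dump:
        email, algo, salt, digest = parse_record(line)
        for guess in wordlist:
            if salted_digest(algo, salt, guess) == digest:
                found[email] = guess
                break
    return found


def fast_hash_guesses_per_second(algo: str, rounds: int = 20000) -> float:
    """Measure single-core guess rate for a salted fast hash (pure Python)."""
    start = time.perf_counter()
    for _ in range(rounds):
        salted_digest(algo, "k3Lq9", "summer2018")
    return rounds / (time.perf_counter() - start)


def pbkdf2_guesses_per_second(iterations: int = 100_000, rounds: int = 5) -> float:
    """Guess rate against an iterated password hash, for comparison."""
    start = time.perf_counter()
    for _ in range(rounds):
        hashlib.pbkdf2_hmac("sha256", b"summer2018", b"k3Lq9", iterations)
    return rounds / (time.perf_counter() - start)


if __name__ == "__main__":
    for email, pw in crack(SAMPLE_DUMP, WORDLIST).items():
        print(f"recovered {email}: {pw}")
    print(f"MD5   : {fast_hash_guesses_per_second('md5'):>12,.0f} guesses/s")
    print(f"SHA-1 : {fast_hash_guesses_per_second('sha1'):>12,.0f} guesses/s")
    print(f"PBKDF2-SHA256 (100k iterations): {pbkdf2_guesses_per_second():,.1f} guesses/s")
```

Two of the three constructed accounts fall to a six-word list; only the long passphrase survives, and even that is protected by its length rather than by the salt. The pure-Python rates understate the real gap: GPU crackers reach billions of salted MD5 guesses per second, while a properly tuned bcrypt, scrypt, Argon2 or PBKDF2 configuration holds attackers to a few thousand or fewer.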

You won’t know any of this from visiting the Fashion Nexus or White Room Solutions websites, as they are refusing to issue any public statement.

When I asked White Room if they would be issuing a statement, their response was pretty emphatic.

[Screenshot: White Room Solutions email reply]

(By the way, in an unconnected boo-boo, the White Room Solutions and Fashion Nexus websites don’t support HTTPS - which doesn’t exactly instil confidence that they’re top of their game when it comes to advising on ecommerce.)

[Screenshot: White Room Solutions website served without HTTPS]

[Screenshot: Fashion Nexus website]

However, White Room Solutions does tell me that it has informed the affected brands, and that it is leaving it up to the affected brands to contact their exposed customers about their data being breached, as well as inform the Information Commissioner’s Office (ICO).

White Room Solutions were also prepared to confirm to me privately that they had resolved the security issue:

“The breach was via a site that has subsequently been taken down and is considered resolved.”

I can find no mention of the data breach on the websites of the brands involved, so new customers will not know that there have been security problems in the past.

If any customers of the affected online stores happen to read this I would be fascinated to hear if you have received a notification from the websites concerned, warning you that your personal data was put at risk.

Update 31 July 2018: One of the affected firms, Jaded London, has issued the following statement:

Jaded London are aware of a data breach that affected a historic database, stored on a server run by Fashion Nexus. The information that was accessible at this time was limited to data related to shipping of archived orders, and at no time was sensitive data, such as payment details, stored or accessible. Jadedldn.com is not and was not managed by Fashion Nexus at the time of the breach, and at no time was the Jadedldn.com live website compromised. As part of our dedication to the security of our customers and their data, we are in contact with the ICO and continue to review our security with our current developers and providers. We would welcome any customers who are concerned about their data to contact us directly.


11 Responses

  1. Kaya

    July 31, 2018 at 10:11 am

    I have been a customer at AX Paris for a couple of years. I have not received any information about the data breach incident.

    • Graham Cluley in reply to Kaya.

      July 31, 2018 at 10:34 am

      Sorry to hear that Kaya. I contacted AX Paris before publishing my article, but still haven’t received a response from them.

  2. Sam

    July 31, 2018 at 11:28 am

    I got notification via haveibeenpwned but not from the site direct yet. Being a whitehat who did the breach, does that mean there is no actual breach but only the possibility that someone was able to do before what the whitehat did?

    Either way, good idea to not only use a password manager (I personally use LastPass) but also ensure you use a reputable bank for making online purchases, as they often give additional protection when websites/passwords fail.

    • Graham Cluley in reply to Sam.

      July 31, 2018 at 11:35 am

      Well, a security breach occurred because the data was accessible to an unauthorised party.

      As far as I’m aware the whitehat hacker who stumbled across the data has no intentions to make it public. However, we have no way of knowing how long the data was at risk, or if other unauthorised parties may have accessed it.

      It’s disturbing that no-one has seen any data breach notifications from the companies concerned yet, and if this site and HaveIBeenPwned hadn’t shone a light on it maybe no-one would have ever known.

  3. Matt

    July 31, 2018 at 1:28 pm

    Is there a list of companies involved? I received a notification from ‘have I been pwned’ but nothing from anywhere I have shopped with.

    • Graham Cluley in reply to Matt.

      August 1, 2018 at 12:01 am

      I’m afraid that if you’re not a customer of one of the companies I list above you will probably have to contact White Room Solutions/Fashion Nexus to ask them how come your credentials were in their database. Hmm. Good luck with that…

  4. Hans

    July 31, 2018 at 2:38 pm

    Fashion Nexus discloses the breach on its website now. White Room, as far as I can see, does not.

  5. John

    August 1, 2018 at 3:19 pm

    From the Fashion Nexus website:

    Customer records expose nothing more than email address, encrypted password, optionally name, and optionally telephone number.

    Is this true? This seems at odds with the list of data fields mentioned above.

    • Graham Cluley in reply to John.

      August 1, 2018 at 4:14 pm

      No, it was more information than that. For instance, some customers’ physical addresses, IP addresses, etc.

      Also, according to the white hat who came across the problem, DLSB’s database was not compromised but customer order information did leak from a poorly-secured mailbox, “due to smtp config information left there by White Room.”

  6. J Batiste

    August 2, 2018 at 4:59 pm

    On balance, I thought the comment about the company websites not supporting HTTPS was unfair. These are purely informational sites as far as I can see. There are no forms, no personal information, no accounts and therefore are of negligible benefit to anyone who might target the sites for nefarious purposes.

    Having been in the IT Security Industry for around 15 years, I do appreciate how potentially serious this could be, however each case must be judged by its own merit.

    Since GDPR it seems there is a bit of a witch-hunt for the most minor of slip-ups for what are generally small companies, struggling to make a buck in a very competitive industry. The negligence I have seen in large corporations makes this data breach seem petty in comparison, hardly worthy of a headline. Given the traditionally ‘low impact’ nature of the information leaked in this case, if it is indeed as reported, I think we have to take it with a pinch of salt.

    • Graham Cluley in reply to J Batiste.

      August 2, 2018 at 7:39 pm

      I agree with you that the lack of HTTPS support on the Fashion Nexus and White Room Solutions sites is not the worst security transgression in the world - but I do believe it says something about how “on-the-ball” they are when it comes to the direction the web (and browsers) are moving.

      The real problem here is the data breach, and the lack of transparency, and the failure to inform customers. I suspect that customers simply would never have known about this incident at all unless parties external to the company that was hacked had got involved.

      Kudos to the white hat for attempting to responsibly disclose his findings to the company (they didn’t reply to him), and then his reaching out to me and Troy Hunt from HaveIBeenPwned.
